New Exploit for Unpatched Windows Flaw

The latest bit of malware takes advantage of the same Windows Metafile (files ending in .wmf) security hole that Security Fix warned about earlier this week, the one where Windows users can get infected just by clicking on a specially crafted link in an e-mail or visiting a Web site that hosts the malicious code.

The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks. The folks over at the SANS Internet Storm Center have more detailed information about the new exploit if you're interested.

This is a big deal because so far -- without a patch from Redmond to remedy this problem -- the major antivirus vendors have been the first lines of defense against this attack, and they have relied mainly on adding new signatures to their software to detect the latest threats each time a new one appears. But by changing the profile of the attack slightly with each iteration, the new exploit's random attack code has a far greater chance of slipping past software shields.

SANS said the random garbage added onto any attack code generated with the new exploit could make it very hard for anti-virus companies to develop signatures to detect the new threats.

Last week, I wrote about tests run by Andreas Marx of AV-Test.org that looked at the response time of various antivirus products to some of the largest computer worm outbreaks of 2005. This morning, Marx sent me an e-mail listing each of the products that now detect all 73 known versions of the old WMF exploit: those products included AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, and VirusBuster.

But, Marx said, "It looks like that some of the 100% companies have simply added detections for all of the files I've sent out, without actually have a generic detection in place, but instead of this, 73 different signatures to detect all 73 different files. That's not good."

Not good indeed, given the morphing abilities of this new exploit. I suspect the 2006 work year will begin a bit too soon for many network and computer defense professionals out there.